Plumb trust domain through to helm chart (#4877)

* Plumb trust domain through to helm chart

Signed-off-by: Keith Mattix II <[email protected]>

* Address PR comments

Signed-off-by: Keith Mattix II <[email protected]>

Author: keithmattix

charts/osm/templates/osm-bootstrap-deployment.yaml

@@ -61,6 +61,7 @@ spec:
             "--osm-version", "{{ .Chart.AppVersion }}",
             "--ca-bundle-secret-name", "{{.Values.osm.caBundleSecretName}}",
             "--certificate-manager", "{{.Values.osm.certificateProvider.kind}}",
+            "--trust-domain", "{{.Values.osm.trustDomain}}",
             "--enable-mesh-root-certificate={{.Values.osm.featureFlags.enableMeshRootCertificate}}",
             {{ if eq .Values.osm.certificateProvider.kind "vault" }}
             "--vault-host", "{{.Values.osm.vault.host}}",

charts/osm/templates/osm-deployment.yaml

@@ -61,6 +61,7 @@ spec:
             "--validator-webhook-config", "{{ include "osm.validatorWebhookConfigName" . }}",
             "--ca-bundle-secret-name", "{{.Values.osm.caBundleSecretName}}",
             "--certificate-manager", "{{.Values.osm.certificateProvider.kind}}",
+            "--trust-domain", "{{.Values.osm.trustDomain}}",
             "--enable-mesh-root-certificate={{.Values.osm.featureFlags.enableMeshRootCertificate}}",
             {{ if eq .Values.osm.certificateProvider.kind "vault" }}
             "--vault-host", "{{ required "osm.vault.host is required when osm.certificateProvider.kind==vault" .Values.osm.vault.host }}",

charts/osm/templates/osm-injector-deployment.yaml

@@ -58,6 +58,7 @@ spec:
             "--webhook-timeout", "{{.Values.osm.injector.webhookTimeoutSeconds}}",
             "--ca-bundle-secret-name", "{{.Values.osm.caBundleSecretName}}",
             "--certificate-manager", "{{.Values.osm.certificateProvider.kind}}",
+            "--trust-domain", "{{.Values.osm.trustDomain}}",
             "--enable-mesh-root-certificate={{.Values.osm.featureFlags.enableMeshRootCertificate}}",
             {{ if eq .Values.osm.certificateProvider.kind "vault" }}
             "--vault-host", "{{.Values.osm.vault.host}}",

cmd/osm-bootstrap/osm-bootstrap.go

@@ -63,6 +63,7 @@ var (
 	osmMeshConfigName  string
 	meshName           string
 	osmVersion         string
+	trustDomain        string
 
 	certProviderKind          string
 	enableMeshRootCertificate bool
@@ -99,6 +100,9 @@ func init() {
 	flags.BoolVar(&enableMeshRootCertificate, "enable-mesh-root-certificate", false, "Enable unsupported MeshRootCertificate to create the OSM Certificate Manager")
 	flags.StringVar(&caBundleSecretName, "ca-bundle-secret-name", "", "Name of the Kubernetes Secret for the OSM CA bundle")
 
+	// TODO (#4502): Remove when we add full MRC support
+	flags.StringVar(&trustDomain, "trust-domain", "cluster.local", "The trust domain to use as part of the common name when requesting new certificates")
+
 	// Vault certificate manager/provider options
 	flags.StringVar(&vaultOptions.VaultProtocol, "vault-protocol", "http", "Host name of the Hashi Vault")
 	flags.StringVar(&vaultOptions.VaultHost, "vault-host", "vault.default.svc.cluster.local", "Host name of the Hashi Vault")
@@ -230,7 +234,7 @@ func main() {
 				"Error initializing certificate manager of kind %s from MRC", certProviderKind)
 		}
 	} else {
-		certManager, err = providers.NewCertificateManager(ctx, kubeClient, kubeConfig, cfg, osmNamespace, certOpts, msgBroker, 5*time.Second)
+		certManager, err = providers.NewCertificateManager(ctx, kubeClient, kubeConfig, cfg, osmNamespace, certOpts, msgBroker, 5*time.Second, trustDomain)
 		if err != nil {
 			events.GenericEventRecorder().FatalEvent(err, events.InvalidCertificateManager,
 				"Error initializing certificate manager of kind %s", certProviderKind)

cmd/osm-controller/osm-controller.go

@@ -73,6 +73,7 @@ var (
 	caBundleSecretName         string
 	osmMeshConfigName          string
 	osmVersion                 string
+	trustDomain                string
 
 	certProviderKind          string
 	enableMeshRootCertificate bool
@@ -106,6 +107,9 @@ func init() {
 	flags.BoolVar(&enableMeshRootCertificate, "enable-mesh-root-certificate", false, "Enable unsupported MeshRootCertificate to create the OSM Certificate Manager")
 	flags.StringVar(&caBundleSecretName, "ca-bundle-secret-name", "", "Name of the Kubernetes Secret for the OSM CA bundle")
 
+	// TODO (#4502): Remove when we add full MRC support
+	flags.StringVar(&trustDomain, "trust-domain", "cluster.local", "The trust domain to use as part of the common name when requesting new certificates")
+
 	// Vault certificate manager/provider options
 	flags.StringVar(&vaultOptions.VaultProtocol, "vault-protocol", "http", "Host name of the Hashi Vault")
 	flags.StringVar(&vaultOptions.VaultHost, "vault-host", "vault.default.svc.cluster.local", "Host name of the Hashi Vault")
@@ -222,7 +226,7 @@ func main() {
 		}
 	} else {
 		certManager, err = providers.NewCertificateManager(ctx, kubeClient, kubeConfig, cfg, osmNamespace,
-			certOpts, msgBroker, 5*time.Second)
+			certOpts, msgBroker, 5*time.Second, trustDomain)
 		if err != nil {
 			events.GenericEventRecorder().FatalEvent(err, events.InvalidCertificateManager,
 				"Error fetching certificate manager of kind %s", certProviderKind)

cmd/osm-injector/osm-injector.go

@@ -57,6 +57,7 @@ var (
 	osmMeshConfigName  string
 	webhookTimeout     int32
 	osmVersion         string
+	trustDomain        string
 
 	certProviderKind          string
 	enableMeshRootCertificate bool
@@ -92,6 +93,9 @@ func init() {
 	flags.BoolVar(&enableMeshRootCertificate, "enable-mesh-root-certificate", false, "Enable unsupported MeshRootCertificate to create the OSM Certificate Manager")
 	flags.StringVar(&caBundleSecretName, "ca-bundle-secret-name", "", "Name of the Kubernetes Secret for the OSM CA bundle")
 
+	// TODO (#4502): Remove when we add full MRC support
+	flags.StringVar(&trustDomain, "trust-domain", "cluster.local", "The trust domain to use as part of the common name when requesting new certificates")
+
 	// Vault certificate manager/provider options
 	flags.StringVar(&vaultOptions.VaultProtocol, "vault-protocol", "http", "Host name of the Hashi Vault")
 	flags.StringVar(&vaultOptions.VaultHost, "vault-host", "vault.default.svc.cluster.local", "Host name of the Hashi Vault")
@@ -216,7 +220,7 @@ func main() {
 		}
 	} else {
 		certManager, err = providers.NewCertificateManager(ctx, kubeClient, kubeConfig, cfg, osmNamespace,
-			certOpts, msgBroker, 5*time.Second)
+			certOpts, msgBroker, 5*time.Second, trustDomain)
 		if err != nil {
 			events.GenericEventRecorder().FatalEvent(err, events.InvalidCertificateManager,
 				"Error initializing certificate manager of kind %s", certProviderKind)

pkg/certificate/fake_manager.go

@@ -45,6 +45,7 @@ func (c *fakeMRCClient) Watch(ctx context.Context) (<-chan MRCEvent, error) {
 					Namespace: "osm-system",
 				},
 				Spec: v1alpha2.MeshRootCertificateSpec{
+					TrustDomain: "fake.domain.com",
 					Provider: v1alpha2.ProviderSpec{
 						Tresor: &v1alpha2.TresorProviderSpec{
 							CA: v1alpha2.TresorCASpec{

pkg/certificate/manager.go

@@ -129,7 +129,7 @@ func (m *Manager) handleMRCEvent(mrcClient MRCClient, event MRCEvent) error {
 			return err
 		}
 
-		c := &issuer{Issuer: client, ID: mrc.Name, CertificateAuthority: ca}
+		c := &issuer{Issuer: client, ID: mrc.Name, CertificateAuthority: ca, TrustDomain: mrc.Spec.TrustDomain}
 		switch {
 		case mrc.Status.State == constants.MRCStateActive:
 			m.mu.Lock()

pkg/certificate/manager_test.go

@@ -7,9 +7,12 @@ import (
 
 	tassert "github.com/stretchr/testify/assert"
 	trequire "github.com/stretchr/testify/require"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/openservicemesh/osm/pkg/announcements"
+	"github.com/openservicemesh/osm/pkg/apis/config/v1alpha2"
 	"github.com/openservicemesh/osm/pkg/certificate/pem"
+	"github.com/openservicemesh/osm/pkg/constants"
 	"github.com/openservicemesh/osm/pkg/messaging"
 )
 
@@ -313,3 +316,52 @@ func TestIssueCertificate(t *testing.T) {
 		assert.Nil(cert)
 	})
 }
+
+func TestHandleMRCEvent(t *testing.T) {
+	testCases := []struct {
+		name                 string
+		mrcClient            MRCClient
+		mrcEvent             MRCEvent
+		wantErr              bool
+		wantSigningIssuer    issuer
+		wantValidatingIssuer issuer
+	}{
+		{
+			name:      "success",
+			mrcClient: &fakeMRCClient{},
+			mrcEvent: MRCEvent{
+				Type: MRCEventAdded,
+				MRC: &v1alpha2.MeshRootCertificate{
+					ObjectMeta: v1.ObjectMeta{
+						Name: "my-mrc",
+					},
+					Spec: v1alpha2.MeshRootCertificateSpec{
+						TrustDomain: "foo.bar.com",
+					},
+					Status: v1alpha2.MeshRootCertificateStatus{
+						State: constants.MRCStateActive,
+					},
+				},
+			},
+			wantSigningIssuer:    issuer{Issuer: &fakeIssuer{}, ID: "my-mrc", TrustDomain: "foo.bar.com", CertificateAuthority: pem.RootCertificate("rootCA")},
+			wantValidatingIssuer: issuer{Issuer: &fakeIssuer{}, ID: "my-mrc", TrustDomain: "foo.bar.com", CertificateAuthority: pem.RootCertificate("rootCA")},
+		},
+	}
+
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			assert := tassert.New(t)
+			m := &Manager{}
+
+			err := m.handleMRCEvent(tt.mrcClient, tt.mrcEvent)
+			if !tt.wantErr {
+				assert.NoError(err)
+			} else {
+				assert.Error(err)
+			}
+
+			assert.Equal(tt.wantSigningIssuer, *m.signingIssuer)
+			assert.Equal(tt.wantValidatingIssuer, *m.validatingIssuer)
+		})
+	}
+}

pkg/certificate/providers/config.go

@@ -44,7 +44,7 @@ var getCA func(certificate.Issuer) (pem.RootCertificate, error) = func(i certifi
 // NewCertificateManager returns a new certificate manager with a MRC compat client.
 // TODO(4713): Remove and use NewCertificateManagerFromMRC
 func NewCertificateManager(ctx context.Context, kubeClient kubernetes.Interface, kubeConfig *rest.Config, cfg configurator.Configurator,
-	providerNamespace string, option Options, msgBroker *messaging.Broker, checkInterval time.Duration) (*certificate.Manager, error) {
+	providerNamespace string, option Options, msgBroker *messaging.Broker, checkInterval time.Duration, trustDomain string) (*certificate.Manager, error) {
 	if err := option.Validate(); err != nil {
 		return nil, err
 	}
@@ -63,7 +63,7 @@ func NewCertificateManager(ctx context.Context, kubeClient kubernetes.Interface,
 			},
 			Spec: v1alpha2.MeshRootCertificateSpec{
 				Provider:    option.AsProviderSpec(),
-				TrustDomain: "cluster.local",
+				TrustDomain: trustDomain,
 			},
 			Status: v1alpha2.MeshRootCertificateStatus{
 				State: constants.MRCStateActive,

pkg/certificate/providers/config_test.go

@@ -143,7 +143,7 @@ func TestGetCertificateManager(t *testing.T) {
 				getCA = oldCA
 			}()
 
-			manager, err := NewCertificateManager(context.Background(), tc.kubeClient, tc.restConfig, tc.cfg, tc.providerNamespace, tc.options, tc.msgBroker, 1*time.Hour)
+			manager, err := NewCertificateManager(context.Background(), tc.kubeClient, tc.restConfig, tc.cfg, tc.providerNamespace, tc.options, tc.msgBroker, 1*time.Hour, "cluster.local")
 			if tc.expectError {
 				assert.Empty(manager)
 				assert.Error(err)